WordPress admins using the LiteSpeed Cache plugin should update their sites to the latest plugin release to address a critical vulnerability. Exploiting the flaw allows an unauthenticated attacker to take control of target websites.
LiteSpeed Cache Plugin Vulnerability Could Allow Website Takeover
The security researcher John Blackbourn from Patchstack discovered a critical privilege escalation vulnerability in the LiteSpeed Cache plugin.
LiteSpeed Cache for WordPress provides an exclusive server-level cache and numerous site optimization features. The plugin boasts over 5 million active installations, indicating its popularity among WordPress users. However, it also shows how any vulnerability in the plugin potentially threatens millions of websites.
Specifically, the vulnerability existed in the plugin's crawler feature, which exposes a user simulation capability to perform crawler requests as authenticated users. However, because of a weak security hash in this feature, the plugin allowed an unauthenticated adversary to spoof an authenticated user and gain elevated site privileges. The worst exploitation scenarios even allowed the installation of malicious plugins and a complete site takeover.
This vulnerability, identified as CVE-2024-28000, received a critical severity rating and a CVSS score of 9.8. It affected all plugin releases up to 6.3.0.1.
A detailed technical analysis of the vulnerability is available in the recent post from Patchstack.
Vulnerability Patched With Latest Plugin Release
Upon noticing the vulnerability, Blackbourn responsibly disclosed the flaw through Patchstack to the plugin developers. In response, the developers patched the vulnerability with LiteSpeed Cache plugin version 6.4. The researcher also received a $14,400 bounty under the Patchstack Zero Day program for this bug report.
Since the patch has arrived, all WordPress admins should update their sites to the latest plugin release to avoid potential threats. Ideally, users should update to LiteSpeed Cache plugin version 6.4.1, which appears as the latest release on the plugin's official page.
Let us know your thoughts in the comments.